The following article evaluates two models for providing purchasers of online digital content, including cloud computing services, with visual notice of contract terms and data collection practices. Visualisation of contract terms and privacy policies has the potential to give cloud consumers an improved means of understanding the terms they accept when entering into an agreement with a Cloud Service Provider (CSP). The article examines two concrete proposals for the visualisation of contract terms and privacy practices as compliance tools in the European context, focusing primarily on consumer and data protection law. Although the visualisation models are not currently binding or legally required, they start an important conversation on how such terms can be conveyed more effectively.

This article presents a structured and systematic approach for identifying and modelling compliance risks. The sophistication with which modern business is carried out and the unprecedented access to a global market mean that businesses are exposed to increasing and diverse regulatory requirements in and across jurisdictions. Compliance with such requirements is practically challenging, partly due to the complexity of regulatory environments. One possibility in this regard is a risk-based approach to compliance, where resources are allocated to those compliance issues that are most risky. Despite the need for risk-based compliance, few specific methods and techniques for identifying and modelling compliance risks have been developed. Due to the lack of methodological and tool support, compliance risk identification often involves unstructured brainstorming, with uncertain outcomes. The proposed approach consists of a five-step process for the structured identification and assessment of compliance risks. This process aims at facilitating the identification of compliance risks and their documentation in a consistent and reusable fashion. As part of the process, the article provides a systematic approach to the graphical modelling of compliance risks, which aims at facilitating communication among experts from different backgrounds. The creation of graphical models can be partly automated based on natural language patterns for regulatory requirements. Furthermore, structuring the compliance requirement in a template aims at simplifying the modelling of compliance risks and facilitating potential future automation of the modelling.

This paper presents an integrated method for risk and compliance assessment and its evaluation in a case study. The sophistication with which modern business is carried out and the unprecedented access to a global market mean that businesses are exposed to diverse regulatory requirements in and across jurisdictions. Compliance with such requirements is practically challenging, partly due to the complexity of regulatory environments. One possibility in this regard is a risk-based approach to compliance, where resources are allocated to those compliance issues that are most risky. Despite the need for risk-based compliance, few specific methods and techniques for identifying and modelling compliance risks have been developed. The lack of methodological and tool support means that compliance risk identification often involves unstructured brainstorming, with uncertain outcomes. As part of the integrated method, a structured approach for the identification of compliance risks and their graphical modelling is provided. The main goal of the structured approach is to facilitate the identification and assessment of compliance risks and their subsequent documentation in a consistent and reusable fashion. The method is applied in a case study with the aim of assessing the compliance concerns in adopting cloud services. Our experience in the case study demonstrates that the integrated method enables a better structuring of the identification of compliance risks and yields reusable results. The method also facilitates communication among experts with different backgrounds and mitigates subjectivity in making compliance decisions.

Current implementations of electronic identity in Europe are rather diverse; they include state-driven identity management frameworks as well as private sector frameworks and different forms of public-private collaboration. This diversity may represent a major challenge for the deployment of information society services addressed to the European internal market. This raises the question: how can we achieve interoperability of electronic identities across Europe, and potentially beyond Europe's borders? This paper argues that the interoperability of electronic identity could be governed by a multi-stakeholder governance framework that brings together the different parties with an interest in the provision and use of electronic identities. Such a governance framework could, for example, consist of designing and operating a portal with common functionalities that allows interoperable authentication across multiple domains and contexts. Inspiration for the governance of such a portal could come both from existing successful implementations of electronic identity and from multi-stakeholder institutions that have proven useful in Internet governance.

Data protection legislation was originally defined for a context where personal information was mostly stored on centralised servers with limited connectivity and limited openness to third-party access. Today, servers are connected to the Internet, where a large amount of personal information is continuously exchanged as part of application transactions. This is very different from the original context of data protection regulation. Even though an increasing number of countries have rather strict data protection laws, it is in practice challenging to ensure adequate protection for personal data that is communicated online. The enforcement of privacy legislation and policies may therefore require a technological basis, integrated with adequate amendments to the legal framework. This article describes a new approach called Privacy Policy Referencing, and outlines the technical framework and the complementary legal framework that need to be established to support it.

Today, we are expected to remember a different user name and password for almost every organisation or domain we want to access on the Internet. Identity management seeks to solve this problem by making digital identities transferable across organisational boundaries. The basic idea is that the participating organisations set up a collaboration (or circle of trust) which involves both identity providers and other service providers. However, there is a risk that identity management may reduce the users' level of privacy: can the collaborating organisations collect personal information and create a profile that includes the user's interaction with all collaborators? Who is responsible for the processing of personal data if many organisations collaborate? How can the user make informed decisions and consent to the processing of his or her data? This article seeks to address these issues from the perspective of European data protection law. The paper is split into two parts. This is part I, which introduces and analyses identity management with a focus on technical issues and risks to privacy. Part II will concentrate on data protection law, addressing the roles and responsibilities of collaborators, and will analyse how to ensure a compliant interaction with the end user.

Today, we are expected to remember a different user name and password for almost every organisation or domain we want to access on the Internet. Identity management seeks to solve this problem by making digital identities transferable across organisational boundaries. The basic idea is that the participating organisations set up a collaboration (or circle of trust) which involves both identity providers and other service providers. However, there is a risk that identity management may reduce the users' level of privacy: can the collaborating organisations collect personal information and create a profile that includes the user's interaction with all collaborators? Who is responsible for the processing of personal data if many organisations collaborate? How can the user make informed decisions and consent to the processing of his or her data? This report seeks to address these issues from the perspective of European data protection law.

Organisations that rely on ICT infrastructures need to maintain a high level of information security and protection from cyber-attacks. This is not only in their self-interest in protecting business-critical infrastructure; it is also required by laws that deal with information security. For this reason, technical and legal risks often need to be understood in combination. The RASEN project proposes an approach that integrates compliance assessment with security risk assessment.

Internet top-level domains such as .com, .org, .de and .uk are central to the functioning of the Internet. So far, their number has been very limited, but this will change in the near future. After years of discussion, the Internet Corporation for Assigned Names and Numbers (ICANN) is opening up the application process for new generic top-level domains (gTLDs). Proposals are likely to include both genuinely generic names such as .music, .bike or .bank and geographic names and abbreviations such as .berlin, .paris and .nyc. In addition, several major corporations are expected to register their brand names as top-level domains. Many applicants seek a new gTLD in order to offer registry services in an expanding market for Internet domain names. In some cases new gTLDs may also facilitate novel and innovative business models. On the other hand, applying for a new gTLD can be quite costly, since an applicant has to pay, inter alia, a substantial application fee and possibly the costs of an auction, in addition to start-up costs. Applicants therefore need to carefully assess and manage the risks related to the project of introducing a new gTLD. From the applicant's perspective, relevant risks can relate to the business model, to the applicant's financial situation or to operational, technical and legal issues. The assessment of legal risks, which is the key focus of this paper, is essential for any applicant, for at least two reasons. First, it is in the applicant's interest to identify and manage legal risks at an early stage, when cost-efficient proactive action is still possible. Second, all applicants are required to include a contingency plan in their applications, and the quality of this plan counts towards the application's success. This explicitly includes the relevance of any regulation, law or policy that might impact the project. Applicants are evaluated based on a scoring system, and in order to achieve the highest score they must show that they have thoroughly identified the key risks and the likelihood of each occurring, including legal risks.

What is legal risk? This category of risk is often mentioned in the context of enterprise risk management and financial risk management, and it is also a central concept in legal risk management. However, the definitions given for legal risk differ widely, and no generally accepted notion of legal risk seems to exist. The objectives of this paper are to review, systematise and analyse existing definitions of legal risk. The paper then proposes a context-independent definition and classification of legal risk, based on norm theory.

The increasing demand for business collaborations over the Internet (eBusiness) requires prospective partners to set up their cooperation in a timely fashion, without losing time negotiating complicated legal contracts. On the other hand, if problems arise, collaborators will want to fall back on a contractual framework that adequately addresses the main legal issues. Electronic collaborations cover a wide variety of application domains, potentially involving parties from different countries and thus from different legal backgrounds. This is far more complex than what most approaches to electronic contracts are able to cover, since they mainly focus on specifying selected operational terms. This paper therefore outlines an approach towards a contractual framework that combines operational electronic contracts with a more long-term legal framework, which caters for both the organisational and the business issues of electronic collaborations. The approach is exemplified with a business scenario in the field of eLearning.

Establishing and operating a virtual organisation implies a number of challenges from many different perspectives, including socio-economic, organisational, legal and computational issues. This paper focuses on the legal aspects, with a particular view on legal risks with respect to intellectual property rights. A risk analysis of legal issues can either be based on abstract legal reasoning or focus on the business reality and the specific characteristics of the virtual organisation. This paper follows the latter approach; it presents selected findings of a legal risk analysis of a business scenario in the collaborative engineering field. The legal risk analysis was performed in collaboration between lawyers and other professionals in order to highlight how different legal and non-legal aspects relate to each other. Graphical models of risks and treatments were used to reduce communication barriers between experts in this multidisciplinary setting.

This paper summarises the findings of the study on privacy in relation to networked organisations and identity management, carried out by the Legal-IST project (www.legal-ist.org). The focus of the study is on privacy and data protection aspects of networked organisations and on the use of identity management technologies, in particular multi-organisation single sign-on and federated identity management. In principle, both networked organisations and organisational networks set up to facilitate identity management may involve the processing of personal data, particularly if the networks are set up to serve consumers. From a data protection perspective, the main issue to be addressed is how the responsibility for processing personal data can be shared among the participants, and the degree to which a network participant is legally responsible for the collective processing of personal data. The study analyses the networking parties' duties and roles under data protection law and provides guidelines and model contracts for complying with the legal framework. The European data protection framework for collaborative networks is highlighted, including selected recommendations of the Article 29 Working Party established under the European Data Protection Directive. Organisational networks to facilitate identity management are discussed both in relation to government-built networks and, in particular, in relation to identity management schemes set up by a network of enterprises.

Reputation systems can be used to provide relevant information about others when we interact with persons we do not know. However, reputation systems are challenged by concerns about privacy and data quality. This paper assesses how data protection law affects the design and operation of reputation systems.